UK GDPR Compliance Statement

Learn about how we protect your personal data in accordance with UK GDPR and Data Protection Act 2018.

WebProject UK GDPR Compliance Statement

Introduction

The UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 govern how organisations process personal data in the United Kingdom. They require personal data to be processed lawfully, fairly and transparently, and they protect the rights and freedoms of data subjects. This compliance statement reflects our current obligations under UK GDPR as it stands post-Brexit, including subsequent updates and amendments.

We are committed to maintaining the highest standards of data protection and privacy, ensuring compliance with both UK GDPR and the Data Protection Act 2018, as well as the Privacy and Electronic Communications Regulations (PECR) where applicable.

Definitions

Understanding the specific obligations at stake in data protection law is not always easy, particularly when the regulation in question runs to 99 articles, 173 recitals and a large body of guidance on how it applies. Understanding them is nonetheless essential in order to avoid the risks that arise from an excessively broad or imprecise reading of your organisation's regulatory obligations. A proper understanding of the terms defined below is therefore the starting point:

Personal data:

any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data or an online identifier (for example an IP address).

Processing:

any operation or set of operations performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, storage, retrieval, consultation, use, disclosure by transmission, and so on.

Controller:

the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

Processor:

the natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

For detailed information about the GDPR and data protection, visit the Information Commissioner's Office website:

https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/

Your GDPR Responsibilities

When you use our services to store or process personal data (including customer or user data), you are the Data Controller and WebProject acts as a Data Processor. This applies to all personal data you place on our servers either directly, via hosted websites, or through any of our other services.

Under UK GDPR, as a Data Controller, you must ensure that any Data Processor services you use are compliant with data protection regulations. This includes conducting due diligence on our services and ensuring appropriate contractual terms are in place, including Data Processing Agreements (DPAs) that meet UK GDPR requirements.

This statement provides the necessary information to demonstrate our compliance and support your obligations as a Data Controller.

Our GDPR Commitment

WebProject is committed to maintaining full compliance with UK GDPR, Data Protection Act 2018, and PECR. Our compliance framework is regularly reviewed and updated by qualified data protection professionals to ensure alignment with current regulatory requirements.

Our ongoing compliance measures include:

  • Annual data protection training for all staff with regular refresher sessions
  • Comprehensive data protection impact assessments (DPIAs) for new services and significant changes
  • Regular audits of all systems, processes, and third-party services for GDPR compliance
  • Continuous monitoring and improvement of data protection measures
  • Updated Data Processing Agreements (DPAs) that meet current UK GDPR requirements
  • Clear data retention and deletion policies aligned with UK GDPR principles
  • Established procedures for handling data subject requests (access, rectification, erasure, etc.)
  • Incident response procedures for potential data breaches

Our compliance framework ensures:

  • Regular compliance assessments against UK GDPR requirements
  • Appropriate technical and organisational measures (TOMs) for data security
  • Due diligence on all sub-processors and third-party providers
  • Strict access controls with role-based permissions and audit trails
  • Data localisation within the UK and approved jurisdictions
  • Staff certification in data protection and ongoing professional development
  • Compliance with international data transfer mechanisms where applicable

Our Role as a Data Processor

You retain full ownership and control of all data you submit to our services, whether hosted on your premises or our servers. WebProject acts solely as a Data Processor under UK GDPR, processing personal data only on your documented instructions as the Data Controller.

Our processing activities are limited to providing hosting, storage, and technical support services as specified in our Data Processing Agreement. We do not access, analyse, or otherwise process your data for our own purposes beyond what is strictly necessary to provide our services.

Data sharing and legal requests:

  • We do not share your data with third parties except as explicitly authorised by you or required by law
  • All requests from law enforcement or regulatory authorities are handled through our established legal request procedures
  • We require proper legal documentation before responding to any data access requests
  • We will notify you of any legal requests for your data unless legally prohibited from doing so
  • All data access is logged and auditable

Data Location and International Transfers

Your data is stored on our infrastructure located in the following UK and approved jurisdictions:

  • UK Data Centers:
    • iomart Maidenhead - Maidenhead, UK (Tier 4 facility)
    • OVH Erith - Erith, London, UK
  • EU Data Centres (covered by the UK's adequacy regulations for the EEA):
    • OVH RBX1-RBX5 - Roubaix, France

International Transfer Compliance:

  • All data transfers outside the UK comply with UK GDPR international transfer requirements
  • Transfers to EU/EEA countries rely on the UK's adequacy regulations covering the EEA
  • Any transfers to countries without an adequacy decision use appropriate safeguards recognised under UK GDPR (the UK International Data Transfer Agreement (IDTA), the UK Addendum to the EU Standard Contractual Clauses, or another approved mechanism)
  • Regular review of adequacy decisions and transfer mechanisms
  • Data localisation options available for customers requiring UK-only storage

Backup and Redundancy:

  • Microsoft Azure backup services in UK data centers (Durham, London, Cardiff)
  • All backup data remains within UK jurisdiction
  • Encrypted backup transmission and storage
  • Regular backup testing and integrity verification

Security

Maintaining security

Our technical staff keep up to date with security developments relevant to our platform and are responsible for the ongoing security of our servers and systems. Security patches are applied to our systems as a matter of priority, and any change or update to our own systems is made with data protection and privacy in mind and, where appropriate, in discussion with our customers. Where we have an agreement with a customer to do so, we also maintain the security of that customer's own servers or hosted applications.

Access to servers

Remote administrative access to our servers is strictly restricted to key personnel within our Technical Support team. Our team accesses a server only to resolve an issue reported by the client, or to ensure that the Managed Hosting Service Level the client has opted for is met.

Data centre staff have physical access to the servers, but we have strict protocols in place to ensure they use it only when requested by a member of our technical support team, and such a request is made only when a visual check of a server or physical maintenance on the server itself is required.

WebProject employees

All WebProject employees are trained and made aware of their responsibilities under GDPR. This includes their responsibilities with regards to access, security and processing of any personal data stored on our servers.

Sub-Processors

We use the following sub-processors to provide our hosting and related services. All sub-processors have been verified for UK GDPR compliance and appropriate data processing agreements are in place.

  1. Amazon Web Services (AWS)
    We use Amazon SES (Simple Email Service) for sending transactional emails from our client area, including support tickets, invoices, account notifications, and contact form messages. All data processed through AWS remains within UK/EU regions.
  2. Microsoft 365
    We use Microsoft 365 for business email services. Internal copies of transactional emails are retained for logging and accountability purposes within UK data centers.
  3. MaxMind
    We use MaxMind for fraud prevention and spam detection. This involves automated processing of IP addresses to check them against global spam databases. An IP address is itself personal data under UK GDPR, so this processing is covered by the sub-processor terms described above; no other identifying information (name, postal address, telephone number) is shared with MaxMind, and email addresses are not distributed to third parties.
  4. OVHcloud
    Our primary hosting infrastructure is provided by OVHcloud, with data centres in the UK and in France (transfers to France rely on the UK's adequacy regulations for the EEA). OVHcloud is ISO 27001 certified and PCI DSS compliant.
  5. iomart
    We use iomart's UK-based Tier 4 data center facilities for premium hosting services. iomart is ISO 9001, 27001, 22301, and PCI DSS certified.

Sub-processor Changes:

We will notify you of any intended change to our sub-processors and give you the opportunity to object. The list above is current at the date of this statement; an up-to-date copy is available on request.

Data Retention

We retain personal data only for as long as necessary to fulfill the purposes for which we collected it, including for the purposes of satisfying any legal, accounting, or reporting requirements.

  • Data is retained in accordance with our Data Processing Agreement and your documented instructions
  • Upon termination of services, we will return or securely delete all personal data within 30 days, unless we are legally required to retain it
  • Copies held in backups are purged automatically when those backups expire under our backup retention schedule
  • Email logs and transaction records are retained for defined periods in line with legal and operational requirements

Changes to Our Approach

Should our approach to any aspect covered by this statement change in a way that impacts your data, we will notify you within a reasonable timeframe and in accordance with our contractual obligations. We will also update this public statement to reflect any material changes to our data processing practices.

Material changes include changes to our sub-processor list, data locations, security measures, or data processing purposes.

Data Breaches

In the unlikely event of a personal data breach occurring, we have established procedures to respond in accordance with UK GDPR requirements.

  • Detection and Assessment: We have monitoring systems in place to detect potential data breaches and procedures to assess the nature and severity of any incident
  • Notification to Controller: We will notify you without undue delay upon becoming aware of a breach affecting your personal data
  • ICO Reporting: If the breach is likely to result in a risk to the rights and freedoms of individuals, we will assist you in reporting it to the Information Commissioner's Office (ICO) within 72 hours of you becoming aware of it, as required by UK GDPR
  • Data Subject Notification: Where the breach is likely to result in a high risk to the rights and freedoms of individuals, we will assist you in communicating with affected data subjects without undue delay
  • Documentation: We maintain records of all personal data breaches regardless of whether they require notification

Data Subject Rights

UK GDPR provides data subjects with several important rights. We are committed to facilitating the exercise of these rights in accordance with applicable law.

  • Right to Access (Subject Access Requests): Data subjects have the right to obtain confirmation as to whether personal data concerning them is being processed, and to obtain a copy of their personal data
  • Right to Rectification: Data subjects can request correction of inaccurate personal data or completion of incomplete data
  • Right to Erasure: Also known as the "right to be forgotten," data subjects can request deletion of their personal data in certain circumstances
  • Right to Restriction of Processing: Data subjects can request restriction of processing in specific situations
  • Right to Data Portability: Data subjects can request their personal data in a structured, commonly used, and machine-readable format
  • Right to Object: Data subjects can object to processing based on legitimate interests or direct marketing
  • Rights related to Automated Decision-Making: Protection against decisions based solely on automated processing that have legal or significant effects

We will respond to data subject requests within one month of receipt, in accordance with UK GDPR timeframes. This period may be extended by a further two months for complex or numerous requests, provided the data subject is informed of the extension and the reasons for it within the first month. Where you are the Data Controller for the data concerned, we will pass any request we receive to you and assist you in responding.

ICO Registration

WebProject is registered with the Information Commissioner's Office (ICO) as a data controller. Our registration details are available on the ICO website.

For verification, you can search our registration on the ICO register at: https://ico.org.uk/

We Help You to Comply with UK GDPR

Our compliance framework is designed to support your own UK GDPR compliance obligations. This statement demonstrates our commitment to data protection and provides the assurances required for your compliance due diligence.

We will assist you and the Information Commissioner's Office with any queries relating to our data processing activities and compliance measures.

Upon request, we can provide:

  • Data Processing Agreement (DPA) meeting UK GDPR requirements
  • Technical and organisational measures (TOMs) documentation
  • Sub-processor information and lists
  • Evidence of our ICO registration
  • Security and compliance certifications
  • Assistance with data subject request handling where relevant

Your Right to Complain

If you believe that our processing of your personal data does not comply with UK GDPR, you have the right to complain to the Information Commissioner's Office (ICO). You can contact the ICO at:

Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire SK9 5AF

Website: https://ico.org.uk/

Helpline: 0303 123 1113

Data Protection Contact

Any questions, queries or requests for further information regarding our UK GDPR compliance should be sent to:

WebProject, 9 Orchard Road, Stevenage, Hertfordshire SG1 3HD

Email: [email protected]

Phone: +44 (0) 2034 328891

Fax: +44 (0) 2036 032006

Disclaimer

This document is provided for informational purposes only and does not constitute legal advice. Organisations should consult with qualified legal professionals to ensure full compliance with UK GDPR, Data Protection Act 2018, and any other applicable regulations. This statement was last updated in March 2026 and will be reviewed regularly to ensure ongoing compliance with current data protection requirements.